As part of a compliance audit, I need to run a routine scan that verifies that our firewalls are performing stateful packet inspection on incoming packets. I have a dedicated server outside our network, on which I can run nmap or whatever software I need to, and scan the external port of our firewall.

The compliance audit manual says I should "run NMAP on all TCP ports with "syn reset" or "syn ack" bits set", and that a response means 'packets are being allowed through even if they're not part of a previously established session'.

What are the nmap switches I need to scan a range of IP addresses - in this case a single /28 subnet - and report on which ports are open and whether the firewall is performing SPI?

The option -sA is a good approach for this, though the better way to know whether your firewall is performing stateless or stateful filtering is to look at the conf file, or the configuration in general.

A way to achieve this with nmap would be this: first do a -sS (SYN) scan on all ports and see which ports are filtered. Then perform a -sA (ACK) scan, and if the same ports come back as unfiltered, it's most likely that your firewall is not performing stateful filtering.

This is all, more or less, in the nmap man page. Read about -sA and --scanflags and you should be able to figure it out.

Perhaps I was too brief here. Apologies.

Along with what was in the second answer, you can use the --scanflags argument to set whatever flags you want - for "syn reset" you would use --scanflags RSTSYN. If you also specify -sS (to do a "syn scan") you'll have the responses interpreted correctly, with nmap interpreting no response as a closed port, which I think is what you want.
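Putting the -sS/-sA comparison from the second answer and the switches from the third together, here is an added example (my code, not from either answer or from the nmap project) that scans the /28 twice, parses nmap's XML report, and prints per host the open TCP ports plus the count of ports that were "filtered" to a SYN but "unfiltered" to a bare ACK. Assumptions: the target 203.0.113.0/28 is a placeholder from the RFC 5737 documentation range, the two SAMPLE_*_XML strings are constructed to show what a stateful and a stateless host look like, and the script runs as root because -sS and -sA need raw packets. `run_scan` takes arbitrary flags, so the manual's "syn reset" probe can be sent as `run_scan(target, "-sS", "--scanflags", "RSTSYN")`.

```python
import ipaddress
import subprocess
import sys
import xml.etree.ElementTree as ET

# Placeholder target (RFC 5737 documentation range); replace with the /28
# that sits behind the firewall under test.
TARGET = "203.0.113.0/28"
ALL_TCP_PORTS = range(1, 65536)


def run_scan(target, *scan_flags):
    """Run nmap with the given scan flags ('-sS', '-sA', or for example
    '-sS', '--scanflags', 'RSTSYN') on all TCP ports and return the XML
    report as text.  Needs root: these scans send raw packets."""
    cmd = ["nmap", *scan_flags,
           "-p-",        # all 65535 TCP ports
           "-n",         # no reverse DNS
           "-Pn",        # treat every address as up; a firewall that drops
                         # ping probes must not hide hosts from the audit
           "-oX", "-",   # XML report on stdout
           target]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def parse_report(xml_text):
    """Return {host: (default_state, {port: state})} from an nmap XML report.
    nmap lists only the 'interesting' ports explicitly and folds the rest
    into <extraports state=... count=...>, so a port missing from the dict
    takes the host's default state."""
    report = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        extras = list(host.iter("extraports"))
        # Several <extraports> appear when more than one state was folded;
        # the most numerous one is the state of "everything else".
        default = (max(extras, key=lambda e: int(e.get("count"))).get("state")
                   if extras else None)
        ports = {int(p.get("portid")): p.find("state").get("state")
                 for p in host.iter("port") if p.get("protocol") == "tcp"}
        report[addr.get("addr")] = (default, ports)
    return report


def state_of(entry, port):
    default, ports = entry
    return ports.get(port, default)


def open_ports(report):
    return {h: sorted(p for p, s in ports.items() if s == "open")
            for h, (_, ports) in report.items()}


def unsolicited_ack_leaks(syn_report, ack_report, candidates=ALL_TCP_PORTS):
    """Per host, the ports the SYN scan called 'filtered' but the ACK scan
    called 'unfiltered'.  A stateful firewall drops an unsolicited ACK just
    as it drops the SYN, so both scans say 'filtered'.  A stateless filter
    that only blocks SYNs lets the bare ACK through; something answers RST
    and nmap reports 'unfiltered'.  Each hit is a port where a packet that
    belongs to no established session got past the SYN filter."""
    leaks = {}
    for host, ack_entry in ack_report.items():
        syn_entry = syn_report.get(host)
        if syn_entry is None:
            continue
        hit = [p for p in candidates
               if state_of(syn_entry, p) == "filtered"
               and state_of(ack_entry, p) == "unfiltered"]
        if hit:
            leaks[host] = hit
    return leaks


def audit(syn_xml, ack_xml):
    syn, ack = parse_report(syn_xml), parse_report(ack_xml)
    return {"open": open_ports(syn), "leaks": unsolicited_ack_leaks(syn, ack)}


# Constructed sample reports (not real scan output): .1 sits behind a
# stateful firewall, .2 behind a stateless one that only drops SYNs.
SAMPLE_SYN_XML = """<nmaprun>
<host><address addr="203.0.113.1" addrtype="ipv4"/><ports>
<extraports state="filtered" count="65533"/>
<port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="443"><state state="open"/></port></ports></host>
<host><address addr="203.0.113.2" addrtype="ipv4"/><ports>
<extraports state="filtered" count="65534"/>
<port protocol="tcp" portid="80"><state state="open"/></port></ports></host>
</nmaprun>"""
SAMPLE_ACK_XML = """<nmaprun>
<host><address addr="203.0.113.1" addrtype="ipv4"/><ports>
<extraports state="filtered" count="65535"/></ports></host>
<host><address addr="203.0.113.2" addrtype="ipv4"/><ports>
<extraports state="unfiltered" count="65535"/></ports></host>
</nmaprun>"""


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else TARGET
    result = audit(run_scan(target, "-sS"), run_scan(target, "-sA"))
    for host in sorted(result["open"], key=ipaddress.ip_address):
        print(f"{host}: open TCP ports {result['open'][host] or 'none'}")
        n = len(result["leaks"].get(host, []))
        if n:
            print(f"  {n} filtered port(s) answered a bare ACK: "
                  "firewall is probably NOT stateful")
        else:
            print("  no bare ACK got through on filtered ports: "
                  "consistent with stateful inspection")
```

Two caveats when reading the output: "unfiltered" only means a RST came back for the ACK probe, which may have been sent by the firewall itself rather than the host (the per-port reason and TTL in the XML report help tell them apart), and a stateless rule set that drops every packet regardless of flags will look identical to a stateful one in this test. The configuration review suggested in the first answer remains the authoritative check; this scan is evidence that the deployed policy matches it.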